[RFC PATCH] use sulogin in single-user mode

Tony Nelson tonynelson at georgeanelson.com
Fri Jan 22 21:34:04 UTC 2010


On 10-01-22 13:29:11, Bruno Wolff III wrote:
> On Fri, Jan 22, 2010 at 13:15:04 -0500,
>   Tony Nelson <tonynelson at georgeanelson.com> wrote:
> > 
> > Put SELinux into Permissive mode for single-user mode?  Or just
> > print a suggestion to do that?  (I'd think that SELinux would 
> > normally be perceived as an obstacle to the normal uses of single-
> > user mode.)
> 
> I think doing it automatically is a bad idea. It doesn't save much
> over typing "setenforce 0". It does however reduce the security of 
> the system if you do it by default and there is a vulnerable window 
> before you get "setenforce 1" entered.

What external threats is the system vulnerable to in single-user mode?  
Networking is off and there are no other users.  The only threat I know 
of is PEBKAC.


> The notice seems odd, but I don't think it would cause actual
> problems. I just think it would be odd to know to boot to run level 1 
> without knowing how to set selinux to permissive mode.

1) not when you're just starting out.

2) not when you're hurrying because an important system won't boot.

3) not when you forgot about selinux.

The notice should print only when /selinux/enforce exists and contains 
"1" (/usr may not be mounted, so we can't depend on 
/usr/sbin/sestatus at that time).

-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson at georgeanelson.com>
      '                              <http://www.georgeanelson.com/>
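
The check described in the message above, written as an added example (it is not part of the original post or of the patch under discussion). It uses only shell builtins, since /usr may not be mounted. The function names, the ROOT test parameter, the notice wording and the second path /sys/fs/selinux/enforce (where later kernels mount selinuxfs) are assumptions that go beyond the message.

```shell
#!/bin/sh
# Added example: decide whether to print the single-user-mode SELinux notice.
# Only shell builtins are used, because /usr may not be mounted yet.

# selinux_enforcing [ROOT]
# Returns 0 when an enforce file under ROOT contains "1".
# ROOT is a hypothetical parameter so the check can be run against a
# constructed tree; at boot it is empty and the real paths are read.
selinux_enforcing() {
    root=${1:-}
    # /selinux is the mount point named in the message; /sys/fs/selinux is
    # the location used by later kernels (assumption beyond the message).
    for f in "$root/selinux/enforce" "$root/sys/fs/selinux/enforce"; do
        [ -r "$f" ] || continue
        state=
        # The kernel writes the value without a trailing newline, so read
        # returns non-zero at EOF while still filling $state. Ignore its
        # exit status and test the value instead.
        read -r state < "$f" || :
        [ "$state" = 1 ] && return 0
        return 1
    done
    return 1   # no enforce file: SELinux disabled or selinuxfs not mounted
}

# selinux_notice [ROOT]
# Prints the suggestion only when SELinux is enforcing. The wording is
# hypothetical; "setenforce 0" is the command mentioned in the thread.
selinux_notice() {
    if selinux_enforcing "${1:-}"; then
        echo 'SELinux is enforcing. To switch to permissive mode: setenforce 0'
    fi
}

selinux_notice
```
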

